According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to click on a specially crafted URL to be compromised by the attacker. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? The vulnerability is in the web server, but the malicious scripts execute in the victim’s browser on their machine. How do I know if my connector does not have a per-connector redirect URI? Microsoft notified affected customers about this change in behavior via Microsoft 365 Admin Center (MC690931) or Service Health in the Azure Portal (3_SH-LTG) starting on November 17th, 2023. You will need to validate your custom connectors and follow the guidance to make the switch to the per-connector URI. How do I know if a notification was sent to my organization? Notifications were sent to customers via the Microsoft 365 Admin Center using a Data Privacy tag. This means that only users with a global administrator role or a Message center privacy reader role can view the notification. These roles are appointed by your organization. You can learn more about these roles and how to assign them at https://azure.microsoft.com/en-us/blog/understanding-service-health-communications-for-azure-vulnerabilities/. If you are a Logic Apps customer, a notification was sent via Service Health in the Azure Portal under tracking ID 3_SH-LTG. What is the nature of the spoofing? An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim.
Kaixuan Luo with Summer Intern @ Samsung Research America, PhD Student @ The Chinese University of Hong Kong, Adonis Fung with Samsung Research America, <a href="https://twitter.com/sanebow">Xianbo Wang (@sanebow)</a> with The Chinese University of Hong Kong, Wing Cheong Lau with The Chinese University of Hong Kong